How to debug the following CloudFormation error?


ConfigureRateBasedRule: CloudFormation did not receive a response from your Custom Resource. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.

AWSTemplateFormatVersion: 2010-09-09 
Description: >- 
  (SO0006) - AWS WAF Security Automations v2.2.0: This AWS CloudFormation 
  template helps you provision the AWS WAF Security Automations stack without 
  worrying about creating and configuring the underlying AWS infrastructure. 

Metadata: 
  'AWS::CloudFormation::Interface': 
    ParameterGroups: 
      - Label: 
          default: Protection List 
        Parameters: 
          - SqlInjectionProtectionParam 
          - CrossSiteScriptingProtectionParam 
          - ActivateHttpFloodProtectionParam 
          - ActivateScannersProbesProtectionParam 
          - ActivateReputationListsProtectionParam 
          - ActivateBadBotProtectionParam 
      - Label: 
          default: Settings 
        Parameters: 
          - EndpointType 
          - AccessLogBucket 
      - Label: 
          default: Advanced Settings 
        Parameters: 
          - RequestThreshold 
          - ErrorThreshold 
          - WAFBlockPeriod 
    ParameterLabels: 
      SqlInjectionProtectionParam: 
        default: Activate SQL Injection Protection 
      CrossSiteScriptingProtectionParam: 
        default: Activate Cross-site Scripting Protection 
      ActivateHttpFloodProtectionParam: 
        default: Activate HTTP Flood Protection 
      ActivateScannersProbesProtectionParam: 
        default: Activate Scanner & Probe Protection 
      ActivateReputationListsProtectionParam: 
        default: Activate Reputation List Protection 
      ActivateBadBotProtectionParam: 
        default: Activate Bad Bot Protection 
      EndpointType: 
        default: Endpoint Type 
      AccessLogBucket: 
        default: Access Log Bucket Name 
      RequestThreshold: 
        default: Request Threshold 
      ErrorThreshold: 
        default: Error Threshold 
      WAFBlockPeriod: 
        default: WAF Block Period 
Parameters: 
  SqlInjectionProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: >- 
      Choose yes to enable the component designed to block common SQL injection 
      attacks. 
  CrossSiteScriptingProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: Choose yes to enable the component designed to block common XSS attacks. 
  ActivateHttpFloodProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: Choose yes to enable the component designed to block HTTP flood attacks. 
  ActivateScannersProbesProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: Choose yes to enable the component designed to block scanners and probes. 
  ActivateReputationListsProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: >- 
      Choose yes to block requests from IP addresses on third-party reputation 
      lists (supported lists: spamhaus, torproject, and emergingthreats). 
  ActivateBadBotProtectionParam: 
    Type: String 
    Default: 'yes' 
    AllowedValues: 
      - 'yes' 
      - 'no' 
    Description: >- 
      Choose yes to enable the component designed to block bad bots and content 
      scrapers. 
  EndpointType: 
    Type: String 
    Default: CloudFront 
    AllowedValues: 
      - CloudFront 
      - ALB 
    Description: Select the type of resource being used. 
  AccessLogBucket: 
    Type: String 
    Default: prod-logs-slicepay
    AllowedPattern: "^[a-zA-Z0-9-_.]+$" 
    Description: >- 
      Enter a name for the Amazon S3 bucket where you want to store access logs 
      files. This can be the name of either an existing S3 bucket, or a new 
      bucket that the template will create during stack launch (if it does not 
      find a matching bucket name). 
 
      The solution will modify the bucket's notification configuration to 
      trigger the Log Parser AWS Lambda function whenever a new log file is 
      saved in this bucket. More about bucket name restriction here: 
      http://amzn.to/1p1YlU5 
  RequestThreshold: 
    Type: Number 
    Default: 2000 
    MinValue: 2000 
    Description: >- 
      If you chose yes for the Activate HTTP Flood Protection parameter, enter 
      the maximum acceptable requests per FIVE-minute period per IP address. 
      Minimum value of 2000. If you chose to deactivate this protection, ignore 
      this parameter. 
  ErrorThreshold: 
    Type: Number 
    Default: 50 
    MinValue: 0 
    Description: >- 
      If you chose yes for the Activate Scanners & Probes Protection parameter, 
      enter the maximum acceptable bad requests per minute per IP. If you chose 
      to deactivate Scanners & Probes protection, ignore this parameter. 
  WAFBlockPeriod: 
    Type: Number 
    Default: 240 
    MinValue: 0 
    Description: >- 
      If you chose yes for the Activate Scanners & Probes Protection parameters, 
      enter the period (in minutes) to block applicable IP addresses. If you 
      chose to deactivate this protection, ignore this parameter. 
Conditions: 
  SqlInjectionProtectionActivated: !Equals  
    - !Ref SqlInjectionProtectionParam 
    - 'yes' 
  CrossSiteScriptingProtectionActivated: !Equals  
    - !Ref CrossSiteScriptingProtectionParam 
    - 'yes' 
  HttpFloodProtectionActivated: !Equals  
    - !Ref ActivateHttpFloodProtectionParam 
    - 'yes' 
  ScannersProbesProtectionActivated: !Equals  
    - !Ref ActivateScannersProbesProtectionParam 
    - 'yes' 
  ReputationListsProtectionActivated: !Equals  
    - !Ref ActivateReputationListsProtectionParam 
    - 'yes' 
  BadBotProtectionActivated: !Equals  
    - !Ref ActivateBadBotProtectionParam 
    - 'yes' 
  LogParserActivated: !Equals  
    - !Ref ActivateScannersProbesProtectionParam 
    - 'yes' 
  AlbEndpoint: !Equals  
    - !Ref EndpointType 
    - ALB 
  CloudFrontEndpoint: !Equals  
    - !Ref EndpointType 
    - CloudFront 
Mappings: 
  SourceCode: 
    General: 
      S3Bucket: solutions 
      KeyPrefix: aws-waf-security-automations/v2.2.0 
  Solution: 
    Data: 
      SendAnonymousUsageData: 'Yes' 
      LogLevel: INFO 
Resources: 
  AlbStack: 
    Type: 'AWS::CloudFormation::Stack' 
    Condition: AlbEndpoint 
    Properties: 
      TemplateURL: !Join  
        - / 
        - - 'https://s3.amazonaws.com' 
          - !Join  
            - '-' 
            - - !FindInMap  
                - SourceCode 
                - General 
                - S3Bucket 
              - !Ref 'AWS::Region' 
          - !FindInMap  
            - SourceCode 
            - General 
            - KeyPrefix 
          - aws-waf-security-automations-alb.template 
      Parameters: 
        SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam 
        CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam 
        ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam 
        ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam 
        ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam 
        ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam 
        AccessLogBucket: !Ref AccessLogBucket 
        WafApiType: waf-regional 
        WafArnPrefix: !Join  
          - '' 
          - - 'arn:aws:waf-regional:' 
            - !Ref 'AWS::Region' 
            - ':' 
        ParentStackName: !Ref 'AWS::StackName' 
  CloudFrontStack: 
    Type: 'AWS::CloudFormation::Stack' 
    Condition: CloudFrontEndpoint 
    Properties: 
      TemplateURL: !Join  
        - / 
        - - 'https://s3.amazonaws.com' 
          - !Join  
            - '-' 
            - - !FindInMap  
                - SourceCode 
                - General 
                - S3Bucket 
              - !Ref 'AWS::Region' 
          - !FindInMap  
            - SourceCode 
            - General 
            - KeyPrefix 
          - aws-waf-security-automations-cloudfront.template 
      Parameters: 
        SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam 
        CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam 
        ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam 
        ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam 
        ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam 
        ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam 
        AccessLogBucket: !Ref AccessLogBucket 
        WafApiType: waf 
        WafArnPrefix: 'arn:aws:waf::' 
        ParentStackName: !Ref 'AWS::StackName' 
  LambdaWAFLogParserFunction: 
    Type: 'AWS::Lambda::Function' 
    Condition: LogParserActivated 
    Properties: 
      Description: !Join  
        - '' 
        - - >- 
            This function parses access logs to identify suspicious behavior, 
            such as an abnormal amount of errors. It then blocks those IP 
            addresses for a customer-defined period of time. Parameters: 
          - !Ref ErrorThreshold 
          - ',' 
          - !Ref WAFBlockPeriod 
          - . 
      Handler: log-parser.lambda_handler 
      Role: !If  
        - AlbEndpoint 
        - !GetAtt AlbStack.Outputs.LambdaRoleLogParserArn 
        - !GetAtt CloudFrontStack.Outputs.LambdaRoleLogParserArn 
      Code: 
        S3Bucket: !Join  
          - '-' 
          - - !FindInMap  
              - SourceCode 
              - General 
              - S3Bucket 
            - !Ref 'AWS::Region' 
        S3Key: !Join  
          - / 
          - - !FindInMap  
              - SourceCode 
              - General 
              - KeyPrefix 
            - log-parser.zip 
      Environment: 
        Variables: 
          OUTPUT_BUCKET: !Ref AccessLogBucket 
          IP_SET_ID_LIST: !If  
            - AlbEndpoint 
            - !GetAtt AlbStack.Outputs.WAFLISTSet 
            - !GetAtt CloudFrontStack.Outputs.WAFLISTSet 
          IP_SET_ID_AUTO_BLOCK: !If  
            - AlbEndpoint 
            - !GetAtt AlbStack.Outputs.WAFScannersProbesSet 
            - !GetAtt CloudFrontStack.Outputs.WAFScannersProbesSet 
          LIST_BLOCK_PERIOD: !Ref WAFBlockPeriod 
          ERROR_PER_MINUTE_LIMIT: !Ref ErrorThreshold 
          SEND_ANONYMOUS_USAGE_DATA: !FindInMap  
            - Solution 
            - Data 
            - SendAnonymousUsageData 
          UUID: !GetAtt CreateUniqueID.UUID 
          LIMIT_IP_ADDRESS_RANGES_PER_IP_MATCH_CONDITION: '10000' 
          MAX_AGE_TO_UPDATE: '30' 
          REGION: !Ref 'AWS::Region' 
          LOG_TYPE: !If  
            - AlbEndpoint 
            - alb 
            - cloudfront 
          METRIC_NAME_PREFIX: !Join  
            - '' 
            - !Split  
              - '-' 
              - !Ref 'AWS::StackName' 
          LOG_LEVEL: !FindInMap  
            - Solution 
            - Data 
            - LogLevel 
          STACK_NAME: !Ref 'AWS::StackName' 
      # NOTE: log-parser.zip under the v2.2.0 KeyPrefix was packaged years before
      # the python3.11 runtime existed; Runtime and the packaged code must be
      # updated together or the function fails before it can run.
      Runtime: python3.11
      MemorySize: 512 
      Timeout: 300 
  LambdaInvokePermissionLogParser: 
    Type: 'AWS::Lambda::Permission' 
    Condition: LogParserActivated 
    Properties: 
      FunctionName: !GetAtt LambdaWAFLogParserFunction.Arn 
      # Least privilege: S3 bucket notifications only need lambda:InvokeFunction,
      # and scoping with SourceArn (the log bucket ARN) in addition to
      # SourceAccount limits which bucket may invoke the function.
      Action: 'lambda:*' 
      Principal: s3.amazonaws.com 
      SourceAccount: !Ref 'AWS::AccountId' 
  LambdaWAFReputationListsParserFunction: 
    Type: 'AWS::Lambda::Function' 
    Condition: ReputationListsProtectionActivated 
    Properties: 
      Description: >- 
        This lambda function checks third-party IP reputation lists hourly for 
        new IP ranges to block. These lists include the Spamhaus Dont Route Or 
        Peer (DROP) and Extended Drop (EDROP) lists, Proofpoint Emerging 
        Threats IP list, and Tor exit node list. 
      Handler: reputation-lists-parser.handler 
      Role: !If  
        - AlbEndpoint 
        - !GetAtt AlbStack.Outputs.LambdaRoleReputationListsParserArn 
        - !GetAtt CloudFrontStack.Outputs.LambdaRoleReputationListsParserArn 
      Code: 
        S3Bucket: !Join  
          - '-' 
          - - !FindInMap  
              - SourceCode 
              - General 
              - S3Bucket 
            - !Ref 'AWS::Region' 
        S3Key: !Join  
          - / 
          - - !FindInMap  
              - SourceCode 
              - General 
              - KeyPrefix 
            - reputation-lists-parser.zip 
      # NOTE: as with the log parser, the v2.2.0 reputation-lists-parser.zip
      # predates the nodejs16.x runtime; keep Runtime consistent with the code.
      Runtime: nodejs16.x 
      MemorySize: 128 
      Timeout: 300 
      Environment: 
        Variables: 
          SEND_ANONYMOUS_USAGE_DATA: !FindInMap  
            - Solution 
            - Data 
            - SendAnonymousUsageData 
          UUID: !GetAtt CreateUniqueID.UUID 
          METRIC_NAME_PREFIX: !Join  
            - '' 
            - !Split  
              - '-' 
              - !Ref 'AWS::StackName' 
          LOG_LEVEL: !FindInMap  
            - Solution 
            - Data 
            - LogLevel 
  LambdaWAFReputationListsParserEventsRule: 
    Type: 'AWS::Events::Rule' 
    Condition: ReputationListsProtectionActivated 
    Properties: 
      Description: Security Automations - WAF Reputation Lists 
      ScheduleExpression: rate(1 hour) 
      Targets: 
        - Arn: !GetAtt LambdaWAFReputationListsParserFunction.Arn 
          Id: LambdaWAFReputationListsParserFunction 
          Input: !Join  
            - '' 
            - - '{"lists":' 
              - |- 
                [ 
                  {"url":"https://www.spamhaus.org/drop/drop.txt"}, 
                  {"url":"https://check.torproject.org/exit-addresses", "prefix":"ExitAddress"}, 
                  {"url":"https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"} 
                ] 
              - ',"apiType":"' 
              - !If  
                - AlbEndpoint 
                - waf-regional 
                - waf 
              - '","region":"' 
              - !Ref 'AWS::Region' 
              - '",' 
              - '"ipSetIds": [' 
              - '"' 
              - !If  
                - AlbEndpoint 
                - !GetAtt AlbStack.Outputs.WAFReputationListsSet 
                - !GetAtt CloudFrontStack.Outputs.WAFReputationListsSet 
              - '"' 
              - ']}' 
  LambdaInvokePermissionReputationListsParser: 
    Type: 'AWS::Lambda::Permission' 
    Condition: ReputationListsProtectionActivated 
    Properties: 
      FunctionName: !Ref LambdaWAFReputationListsParserFunction 
      Action: 'lambda:InvokeFunction' 
      Principal: events.amazonaws.com 
      SourceArn: !GetAtt LambdaWAFReputationListsParserEventsRule.Arn 
  LambdaWAFBadBotParser
1 Answer

Accepted Answer

Hi There

It does not look like the entire CF template has been posted in your question, however it looks like you are deploying a very early version (2.2.0) of this solution: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/aws-cloudformation-templates.html

Can you try the latest version?

Matt-B (AWS, Expert), answered 2 months ago
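The error in the question means CloudFormation put a custom resource into the stack, invoked the Lambda function behind it, and then never received the PUT to the pre-signed ResponseURL that the function is expected to send. In practice that comes from one of three things: the function raised before it reached the response code, it ran past its timeout while waiting on an API call, or it sent a body missing one of the mandatory fields (Status, PhysicalResourceId, StackId, RequestId, LogicalResourceId) so CloudFormation ignored it. The handler below is an added example, not the custom-resource code shipped with AWS WAF Security Automations: it guarantees exactly one response is sent on every path, including exceptions and an impending timeout, and treats Delete as always successful so a broken resource cannot block a rollback. The `configure` and `http_put` callables, `SAMPLE_EVENT` and the placeholder ResponseURL are assumptions made so the module runs offline.

```python
"""Custom resource handler that always answers CloudFormation.

Added example, not the AWS WAF Security Automations custom-resource code.
It assumes the standard custom resource event shape (RequestType,
ResponseURL, StackId, RequestId, LogicalResourceId) and takes the real work
(``configure``) and the HTTP PUT (``http_put``) as injectable callables so it
runs offline; ``SAMPLE_EVENT`` is a constructed event, not a captured one.
"""
import json
import threading
import traceback
import urllib.request

SUCCESS = "SUCCESS"
FAILED = "FAILED"

# Constructed sample event with the fields CloudFormation sends. The
# ResponseURL is a placeholder, not a real pre-signed S3 URL.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/waf/guid",
    "RequestId": "req-1",
    "LogicalResourceId": "ConfigureRateBasedRule",
    "ResourceType": "Custom::ConfigureRateBasedRule",
    "ResourceProperties": {"RequestThreshold": "2000"},
}


def build_response(event, status, reason="", data=None, physical_id=None):
    """Body CloudFormation expects at event['ResponseURL'].

    Status, PhysicalResourceId, StackId, RequestId and LogicalResourceId are
    mandatory; a body missing any of them is ignored and the stack keeps
    waiting. PhysicalResourceId must stay stable across Update/Delete, so
    reuse the one CloudFormation passed back when it is present.
    """
    if status == FAILED and not reason:
        reason = "Failed; see CloudWatch Logs for the custom resource function"
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": physical_id
        or event.get("PhysicalResourceId")
        or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def _urllib_put(url, body):
    """PUT the JSON body to the pre-signed URL. Content-Type must be empty,
    otherwise the signature S3 checks does not match and the PUT is rejected."""
    req = urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(body))},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def send(event, status, reason="", data=None, physical_id=None, http_put=_urllib_put):
    body = json.dumps(build_response(event, status, reason, data, physical_id))
    return http_put(event["ResponseURL"], body)


def handler(event, context=None, configure=None, http_put=_urllib_put):
    """Lambda entry point.

    ``configure`` does the real work (e.g. creating the rate-based rule) and
    returns the Data dict. Whatever happens, a response reaches
    CloudFormation: SUCCESS on completion, FAILED with the exception text on
    error, and FAILED from a watchdog if the function is about to hit its
    timeout while still working (CloudFormation honours the first response).
    """
    watchdog = None
    if context is not None and hasattr(context, "get_remaining_time_in_millis"):
        # Fire a few seconds before Lambda kills the function.
        delay = max(context.get_remaining_time_in_millis() / 1000.0 - 3, 0.5)
        watchdog = threading.Timer(
            delay, send, args=(event, FAILED),
            kwargs={"reason": "Function timed out before completing", "http_put": http_put},
        )
        watchdog.daemon = True
        watchdog.start()
    try:
        if event["RequestType"] == "Delete":
            # Delete must report SUCCESS even when nothing is left to remove,
            # otherwise the stack cannot be rolled back or deleted.
            data = {}
        else:
            data = configure(event) if configure else {}
        return send(event, SUCCESS, data=data, http_put=http_put)
    except Exception as exc:  # any failure must still be reported
        traceback.print_exc()
        return send(event, FAILED, reason=f"{type(exc).__name__}: {exc}", http_put=http_put)
    finally:
        if watchdog is not None:
            watchdog.cancel()


if __name__ == "__main__":
    def fake_put(url, body):
        print("PUT", url, body)
        return 200
    handler(SAMPLE_EVENT, configure=lambda e: {"RuleId": "rule-1"}, http_put=fake_put)
```

When triaging the stack, open the custom resource function's CloudWatch log group first: no log stream at all means the function was never invoked (check the ServiceToken and the Lambda resource policy); a stream that ends in a traceback or a "Task timed out" line identifies which of the three causes above applies, and the FAILED reason this handler sends shows up directly in the stack event instead of the generic "did not receive a response" message.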
